Files
ttl.sh/.github/workflows/deploy.yml
Marc Campbell fa9959bff1 Target prerelease branch for deployment testing
Temporarily deploy on merge to prerelease branch instead of main.
This allows testing the deploy workflow without requiring PR approval.

TODO: Switch back to main after testing is complete.
Signed-off-by: Marc Campbell <marc.e.campbell@gmail.com>
2026-02-03 11:02:50 +00:00

91 lines
3.3 KiB
YAML

name: Deploy ttl.sh
on:
push:
branches:
- prerelease # Temporary: deploy on prerelease for testing
# - main # TODO: Switch back to main after testing
workflow_dispatch: # Manual trigger for emergencies
concurrency:
group: deploy-production
cancel-in-progress: false # Don't cancel in-progress deploys
jobs:
build-and-push:
name: Build & Push Images
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Doppler CLI
uses: dopplerhq/cli-action@v3
- name: Authenticate to GCP Artifact Registry
run: |
# Get GCP credentials from Doppler and configure Docker
doppler secrets get GCS_KEY_ENCODED --plain | base64 -d > /tmp/gcp-key.json
gcloud auth activate-service-account --key-file=/tmp/gcp-key.json
gcloud auth configure-docker us-east4-docker.pkg.dev --quiet
rm /tmp/gcp-key.json
env:
DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push images
run: |
docker compose build
docker compose push
env:
DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}
deploy:
name: Deploy to Production
runs-on: ubuntu-latest
needs: build-and-push
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Doppler CLI
uses: dopplerhq/cli-action@v3
- name: Install Ansible
run: |
sudo apt-get update
sudo apt-get install -y ansible
ansible-galaxy collection install community.general google.cloud community.docker
- name: Setup SSH key
run: |
mkdir -p ~/.ssh
echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
ssh-keyscan -H 178.156.198.215 >> ~/.ssh/known_hosts
- name: Run Ansible deployment
working-directory: ./ansible
env:
DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}
run: |
ansible-playbook \
-e "cloudflare_api_token=$(doppler secrets get CF_API_TOKEN --plain)" \
-e "cloudflare_zone_id=$(doppler secrets get CF_ZONE_ID --plain)" \
-e "cloudflare_email=$(doppler secrets get LE_EMAIL --plain)" \
-e "le_email=$(doppler secrets get LE_EMAIL --plain)" \
-e "gcloud_sa_email=$(doppler secrets get GOOGLE_APPLICATION_CREDENTIALS_EMAIL --plain)" \
-e "gcloud_sa_key_json=$(doppler secrets get GCS_KEY_ENCODED --plain)" \
-e "gcloud_registry_host=$(doppler secrets get GOOGLE_CLOUD_ARTIFACT_REGISTRY_URI --plain)" \
-e "gcs_key_encoded=$(doppler secrets get GCS_KEY_ENCODED --plain)" \
-e "hook_token=$(doppler secrets get HOOK_TOKEN --plain)" \
-e "hook_uri=$(doppler secrets get HOOK_URI --plain)" \
-e "redis_password=$(doppler secrets get REDIS_PASSWORD --plain)" \
-e "rediscloud_url=$(doppler secrets get REDISCLOUD_URL --plain)" \
-e "replreg_host=$(doppler secrets get REPLREG_HOST --plain)" \
-e "replreg_secret=$(doppler secrets get REPLREG_SECRET --plain)" \
-e "registry_url=$(doppler secrets get REGISTRY_URL --plain)" \
playbooks/site.yml